OAuth 2.0 Authorization Framework

This guide provides a comprehensive overview of the OAuth 2.0 authorization framework and how to implement it with Microsoft APIs. OAuth 2.0 is an open standard for access delegation, commonly used to let Internet users grant websites or applications access to their information on other websites without handing over their passwords.

What is OAuth 2.0?

OAuth 2.0 is a protocol that allows a user to grant a third-party application limited access to their resources without exposing their credentials. It works by issuing access tokens, which are like temporary keys that grant specific permissions for a limited time.

Key Roles in OAuth 2.0

  • Resource Owner: The user who owns the data.
  • Resource Server: The server hosting the protected resources (e.g., Microsoft Graph API).
  • Client: The application requesting access to the user's resources.
  • Authorization Server: The server that issues access tokens after verifying the user's identity and authorization.

Common OAuth 2.0 Flows

OAuth 2.0 defines several flows (grant types) to accommodate different client types and scenarios:

1. Authorization Code Flow

This is the most common and secure flow for web applications. It involves redirecting the user to the authorization server to grant consent, and then exchanging an authorization code for an access token.

// Pseudocode for Authorization Code Flow
// Step 1 (browser): redirect the user to the Authorization Server.
// `state` is a random value kept in the session and checked on return (CSRF protection).
const state = crypto.randomUUID();
sessionStorage.setItem('oauth_state', state);
const authParams = new URLSearchParams({
    client_id: CLIENT_ID, redirect_uri: REDIRECT_URI,
    response_type: 'code', scope: SCOPES, state,
});
window.location.href = `${AUTH_SERVER}/authorize?${authParams}`;

// Step 2 (browser): on redirect back to the client's redirect_uri
function getQueryParam(name) {
    return new URLSearchParams(window.location.search).get(name);
}
if (getQueryParam('state') !== sessionStorage.getItem('oauth_state')) {
    throw new Error('state mismatch: possible CSRF');
}
const authorizationCode = getQueryParam('code');

// Step 3 (server side, confidential client): exchange the code for a token.
// The client secret stays on the server; it must never reach the browser.
fetch(`${AUTH_SERVER}/token`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
        grant_type: 'authorization_code', code: authorizationCode,
        redirect_uri: REDIRECT_URI, client_id: CLIENT_ID, client_secret: CLIENT_SECRET,
    }),
})
.then(response => response.json())
.then(data => {
    const accessToken = data.access_token;
    // Use accessToken to access protected resources
});

2. Implicit Flow

Suitable for single-page applications (SPAs) where a client secret cannot be securely stored. The access token is returned directly in the URL fragment after the user grants consent. This flow is less secure and generally discouraged in favor of Authorization Code Flow with PKCE.

3. Client Credentials Flow

Used for machine-to-machine communication where the client is accessing its own resources or acting on its own behalf, without direct user involvement. The client authenticates directly with the authorization server using its client ID and secret.

4. Resource Owner Password Credentials Flow

The user provides their username and password directly to the client, which then exchanges them for an access token. This flow should only be used for trusted clients and is generally discouraged due to security risks.

Scopes and Permissions

Scopes define the specific permissions that an access token grants. For example, a scope might allow an application to read a user's profile information but not modify it. Always request the minimum necessary scopes.

Token Types

  • Access Token: A credential used to access protected resources.
  • Refresh Token: Used to obtain a new access token when the current one expires, without requiring the user to re-authenticate.
  • ID Token: (OpenID Connect) Contains information about the authenticated user.

Implementing OAuth 2.0 with Microsoft APIs

Microsoft platforms, such as Azure Active Directory (now Microsoft Entra ID) and Microsoft Graph, utilize OAuth 2.0 for authentication and authorization. Refer to the specific API documentation for details on endpoints, required scopes, and registration procedures.

Security Best Practices

  • Always use HTTPS to protect data in transit.
  • Store client secrets securely and never expose them in client-side code.
  • Validate token signatures and expiration times.
  • Implement token revocation mechanisms.
  • Use the most secure flow appropriate for your application type.